Ransomware Attack Affects 500,000 PatientsLargest Such Incident Listed So Far on the 'Wall of Shame'
A ransomware attack on a provider of oxygen therapy and home medical equipment has resulted in the second largest health data breach posted on the federal tally so far this year. It's also the largest ransomware-related incident listed on the "wall of shame."
Airway Oxygen, based in Grand Rapids, Mich., says in a statement that on April 18, its anti-virus software alerted IT employees that a ransomware attack was in progress against its systems.
"An investigation revealed that the intruders had access to patient health information for approximately 550,000 current and past customers of Airway Oxygen," the company says. "Additionally, the personal information of approximately 1,160 current and former employees of Airway and its sister company were also compromised."
The incident is listed on the Department of Health and Human Services' Office for Civil Rights' tally of health data breaches impacting 500 or more individuals as a hacking incident reported on June 16 affecting 500,000 individuals.
An Airway Oxygen spokesman explained to Information Security Media Group on June 28 that the different figures listed by the company in its statement and on the HHS website regarding the number of affected individuals is due to some of the impacted people being vendors and employees rather than current or former patients of the company. Also, as the company is providing notification, "the numbers are trending downward" in terms of total individuals affected due to some former patients being deceased, he says.
In its statement, the company says the incident "was a highly sophisticated attack, which we believe may have been carried out from an offshore location." The company's spokesman declined to say how much of a ransom was demanded by the attackers or whether Airway Oxygen had paid the extortionists.
"We became aware of the breach soon after as it was occurring ... [and] immediately took steps to secure the system," the company says. "Hackers encrypted our data files. For safety sake we must assume all of our data may have been compromised," the company says in its statement.
A notification letter being mailed by Airway Oxygen says that upon learning of the incident, the company scanned its entire internal system; changed passwords for users, vendor accounts and applications; conducted a firewall review; updated and deployed security tools; and installed software to monitor and issue alerts on suspicious firewall log activity.
"We have reported the incident to the FBI and will cooperate with their efforts," the company says. "We have hired a cybersecurity firm to assist in conducting an investigation to assess the cause and impact of the breach. In addition, we are identifying further actions to reduce the risk of this situation recurring."
Protected health information impacted in the breach includes names, addresses, birth dates, telephone numbers, diagnosis, the type of service providing and health insurance policy numbers.
Also, the company's server holds information about both past and present employees, so that information may also be at risk, Airway Oxygen says.
The company's spokesman on June 28 told ISMG that the ransomware situation has been mitigated and all Airway Oxygen operations are back to running normally.
Reporting Ransomware Incidents
As of June 26, the Airway Oxygen breach was the second largest breach added to the wall of shame in 2017. The largest incident added so far this year was reported by Bowling Green, Kentucky-based Med Center Health, owned by Commonwealth Health Corp. That incident, affecting 698,000 individuals, involved a former Med Center Health employee who allegedly obtained patient information on an encrypted CD and encrypted USB drive, "without any work-related reason to do so," the company said in a March statement.
Of 1,961 breaches listed on the wall of shame since 2009, only 11 are described as involving ransomware. The Airway Oxygen breach is the largest of those incidents.
Last July, OCR issued guidance for covered entities and business associates instructing them that in most cases, ransomware attacks are reportable breaches. Nevertheless, relatively few have been added to the tally. Some privacy and security experts say that could be due to lingering uncertainty about whether these incidents indeed need to be reported to federal regulators.
"We still hear some confusion out there with respect to exactly what the guidance means, but based on the incidents we have been involved in, many do not trigger the notification requirements," says Mac McMillan, president of the security consulting firm CynergisTek.
"They are all breaches, but you still have to investigate to determine if compromise occurred before deciding to notify. In some cases, it is difficult to determine the level of access the attacker may have had, which contributes to organizations being cautious about reporting."
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, says that that despite the guidance, she too sees reluctance from some organizations to report ransomware incidents to regulators. "Many do not report them as breaches because, even though the OCR has explicitly communicated multiples times they are indeed reportable breaches, I continue to see flawed logic and bad advice in discussions posted on LinkedIn, in vendor white papers, etc. that wrongly state that ransomware is not, and should not, be considered as a PHI breach," she says. "So, when the covered entity executives see this, they tell their folks not to report ransomware attacks."
Regardless, Herold predicts more ransomware incidents will be added to the wall of shame this year as campaigns continue to target the healthcare sector. That's because, for example, many covered entities and business associates do not do a good job at making full backups of all systems, applications and data, which makes them vulnerable to extortionists, she says.
McMillan says ransomware attacks spotlight the need for organizations to employ two-factor authentication on any remote connections or web-based access.
"Generally the attacker needs some level of privilege that gives the ability to download and execute their malware, [so organizations should] remove administrative privilege through vaulting, or at the very least apply two-factor authentication on elevated privileges. Increase the level of segmentation to protect critical systems and databases with real access restrictions," he says.
McMillan also recommends deploying advanced malware detection both on the network and end points.